[re: signing weblog comments] There could be a niche for a minimalist “sign this text” application, if PGP were to soak into general net infrastructure. - Mark Pasc
Pondering the comment issue, I've come to the same conclusion. PGP and GPG are a little too excited about high levels of security, and seem to feel that it's more important that everybody immediately jump to 100% than to allow a more gradual use of the system. (As a result, nobody does; a better way to get people's toes in the water than WWW commenting I can't imagine, but that's not an option, so instead of a 90% solution, we get a 0% solution.) I'd like to see a key type that explicitly says "I'm a low security key! My public component may be hosted on a somewhat insecure webserver, and there is at least some responsibility on the part of my owner to make sure I'm still secure!"
It's good that PGP/GPG make it possible to have a really ultra-strong key tying into an ultra-strong web of trust that makes it almost impossible to get someone's private key, but I don't think it is good that they seem to require that mode of operation. There is a serious need for lower-stakes, lower-difficulty, lower-security signing. When signing comments, I don't really care that you know that I am THE ONE AND ONLY JEREMY PAUL BOWERS VALIDATION NUMBER #984375249875; I mostly just care that I can validate "I am the same person who said that comment over there, and here is the signature to prove it".
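As an added example (not code from the original post, nor from PGP/GPG or any existing tool), here is the minimal "sign this text" flow in Go using the standard library's ed25519: the commenter hosts a base64 public key on their own page, signs each comment, and a reader checks only that two comments were signed with the same published key. The function names, the comment texts and the choice to publish the key as base64 text are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// SignedComment is the comment text plus a detached signature over it.
type SignedComment struct {
	Text      string
	Signature string // base64 of the ed25519 signature over Text
}

// PublishKey is the text form of the public key hosted on the commenter's page.
func PublishKey(pub ed25519.PublicKey) string {
	return base64.StdEncoding.EncodeToString(pub)
}

// SignComment signs the comment text with the commenter's private key.
func SignComment(priv ed25519.PrivateKey, text string) SignedComment {
	sig := ed25519.Sign(priv, []byte(text))
	return SignedComment{Text: text, Signature: base64.StdEncoding.EncodeToString(sig)}
}

// VerifyComment reports whether c was signed by the holder of pub.
func VerifyComment(pub ed25519.PublicKey, c SignedComment) bool {
	sig, err := base64.StdEncoding.DecodeString(c.Signature)
	return err == nil && ed25519.Verify(pub, []byte(c.Text), sig)
}

// SameAuthor: were both comments signed by whoever holds the published key?
func SameAuthor(published string, a, b SignedComment) bool {
	raw, err := base64.StdEncoding.DecodeString(published)
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return false // a damaged or spoofed key file proves nothing
	}
	pub := ed25519.PublicKey(raw)
	return VerifyComment(pub, a) && VerifyComment(pub, b)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the low-stakes key pair
	hosted := PublishKey(pub)                         // what a reader would fetch
	a := SignComment(priv, "I said this on weblog A.")
	b := SignComment(priv, "And this, later, on weblog B.")
	fmt.Println("same author:", SameAuthor(hosted, a, b)) // prints "same author: true"
}
```

Nothing here identifies a person; it only links two comments to one key, which is exactly the low-stakes claim the post asks for.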